North American Network Operators Group


Re: IP flooding by using broadcast address

  • From: Joe Rhett
  • Date: Sun Jul 20 00:10:07 1997

> 	   I believe that it's QUITE rare to have an application that
> 	   is both *routed* and uses the broadcast address.  This is
> 	   made harder when you VLSM, but I believe the majority of
> 	   networks are provisioned on an 8 bit boundary, so you can
> 	   filter 90% of the traffic by filtering to the .255 address.
 
This is a _very_ bad assumption, with a nasty effect on perfectly valid
traffic. Now that bridging (ala switching) is popular again, there are
enormous numbers of supernetted class C networks out there. I can think of
10 sites right now, without thinking hard. I'm sure I could find another
100 without too much work. And that's just the sites I know of personally!!

This simply doesn't work as a mechanism. There are only two solutions:

1. Disable ping reply to your hosts (annoys some people, but prevents these
attacks..)

2. Disable packets to broadcast addresses on the SOURCE networks. This is
the only reliable solution, since only the local admin knows what the nets
are. 

( Unfortunately, cisco router filters are perfectly blind to this sort of
attack. You need two or three filters for each one ...)

> 	I think it would be very wise of cisco to have a global flag
> (or at least, a per-interface flag) which would prevent the forwarding
> of a packet to an all-ones address.  If cisco won't add this feature,

Yes!

-- 
Joe Rhett                                                 Systems Engineer
[email protected]                                          ISite Services

PGP keys and contact information:     http://www.navigist.com/Staff/JRhett
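The two points argued above (a blanket ".255" filter both drops legitimate hosts on supernetted networks and misses the broadcast addresses of subnetted ones, so only a check against the locally known networks is reliable) can be shown concretely. The following is an added example written for this archive page, not code from the original post or from the poster; the prefixes and addresses are constructed for illustration and the function names are hypothetical.

```python
"""
Added example (not part of the original NANOG post): why a blanket
filter on *.255 is the wrong tool against directed-broadcast
amplification, and what a per-network check looks like instead.

All prefixes and addresses below are constructed for illustration.
"""
import ipaddress

# Constructed topology: one supernetted /23 (two old class Cs bridged
# together), one classic /24, and one /24 carved into four /26 subnets.
LOCAL_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/23"),
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/26"),
    ipaddress.ip_network("203.0.113.64/26"),
    ipaddress.ip_network("203.0.113.128/26"),
    ipaddress.ip_network("203.0.113.192/26"),
]


def dot255_filter(dst: str) -> bool:
    """The heuristic from the quoted message: drop anything ending in .255."""
    return dst.endswith(".255")


def is_directed_broadcast(dst: str, networks=LOCAL_NETWORKS) -> bool:
    """Drop only packets addressed to the broadcast address of a network the
    local admin actually knows about (the 'source network' rule above)."""
    addr = ipaddress.ip_address(dst)
    return any(addr == net.broadcast_address for net in networks)


def broadcast_filter_entries(networks=LOCAL_NETWORKS) -> list:
    """The exact deny list an admin would deploy on the source networks:
    one broadcast address per configured prefix, nothing more."""
    return sorted(str(net.broadcast_address) for net in networks)


def compare_filters(dst: str, networks=LOCAL_NETWORKS) -> dict:
    """Return both verdicts so the two policies can be compared side by side."""
    return {
        "dst": dst,
        "dot255_drops": dot255_filter(dst),
        "broadcast_check_drops": is_directed_broadcast(dst, networks),
    }


if __name__ == "__main__":
    # 192.0.2.255 is an ordinary host inside the /23 supernet: the .255 rule
    # drops it, the per-network check lets it through.
    # 203.0.113.63 is the broadcast of a /26: the .255 rule misses it entirely.
    for dst in ("192.0.2.255", "192.0.3.255", "203.0.113.63", "203.0.113.255"):
        print(compare_filters(dst))
    print("deny list:", broadcast_filter_entries())
```

Running the block shows the false positive (192.0.2.255, a valid host in the /23) and the false negative (203.0.113.63, a real /26 broadcast) that the post warns about; `broadcast_filter_entries()` is the per-network deny list that only the local administrator can produce. The per-interface knob the quoted poster asked Cisco for did later ship in IOS as `no ip directed-broadcast`, which suppresses forwarding to the connected subnet's broadcast address without any address-pattern filtering.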